A single static IP is handled by GCE Network load balancing which distributes requests to two NGINX servers:

skia-skfe-1

skia-skfe-2

They, in turn, handle SSL and then distribute the calls to the backends: skiaperf, skiagold, skiadocs, skiapush, skiaalerts, etc. For the load balancing setup, see the cloud console page. The forwarding rule is named skfe-pool-rule, and the target pool is skfe-pool. To increase the capacity just add more skia-skfe-N servers to the target pool.

All nginx servers will use certpoller to provide certs, and will all handle *.skia.org traffic with a wildcard cert. The certs are stored in GCE Project Level Metadata and are updated via certpoller. The configurations for the nginx servers are handled as a push package that contains the nginx proxy rules for each backend.